On Sat, 5 Jun 2021 15:27:40 +0200, Stefan Kania stefan@kania-online.de wrote:
Hello,
I am trying to set up TOTP1 and TOTP1ANDPW as password hash. I use Debian 10 with kernel 5.9 from the backports. As OpenLDAP I use 2.5.5. I set up everything via Ansible. My configure options are:
./configure --with-cyrus-sasl --with-tls=openssl --enable-overlays=mod --enable-backends=mod --disable-perl --disable-ndb --enable-crypt --enable-modules --enable-dynamic --enable-syslog --enable-debug --enable-local --enable-spasswd --disable-sql --prefix=/opt/openldap-current
In addition I build:
/opt/openldap-current/contrib/slapd-modules/passwd/sha2 /opt/openldap-current/contrib/slapd-modules/passwd/pbkdf2 /opt/openldap-current/contrib/slapd-modules/passwd/totp/
"make test" is running without any error.
The setup is running without any error; here is my cn=config:
dn: cn=config
objectClass: olcGlobal
cn: config
olcArgsFile: /opt/openldap-current/var/run/slapd.args
olcLogLevel: sync
olcLogLevel: stats
olcLogLevel: stats
olcPidFile: /opt/openldap-current/var/run/slapd.pid
olcToolThreads: 1
olcTLSCertificateFile: /opt/openldap-current/etc/my_certificates/ldap25-p01-cert.pem
olcTLSCertificateKeyFile: /opt/openldap-current/etc/my_certificates/ldap25-p01-key.pem
olcTLSCACertificateFile: /opt/openldap-current/etc/my_certificates/cacert.pem
olcPasswordHash: {TOTP1}

dn: cn=module{0},cn=config
objectClass: olcModuleList
cn: module{0}
olcModulePath: /opt/openldap-current/libexec/openldap:/usr/local/libexec/openldap
olcModuleLoad: {0}back_mdb
olcModuleLoad: {1}back_monitor
olcModuleLoad: {2}pw-totp.la
olcModuleLoad: {3}autoca.la
... schema....
dn: olcBackend={0}mdb,cn=config
objectClass: olcBackendConfig
olcBackend: {0}mdb

dn: olcDatabase={-1}frontend,cn=config
objectClass: olcDatabaseConfig
objectClass: olcFrontendConfig
olcDatabase: {-1}frontend
olcAccess: {0}to * by dn.exact=gidNumber=0+uidNumber=0,cn=peercred,cn=external,cn=auth manage by dn.exact=gidNumber=1111+uidNumber=1111,cn=peercred,cn=external,cn=auth manage by * break
olcAccess: {1}to dn="" by * read
olcAccess: {2}to dn.base="cn=subschema" by * read
olcSizeLimit: 500

dn: olcDatabase={0}config,cn=config
objectClass: olcDatabaseConfig
olcDatabase: {0}config
olcAccess: {0}to * by dn.exact=gidNumber=0+uidNumber=0,cn=peercred,cn=external,cn=auth manage by dn.exact=gidNumber=1111+uidNumber=1111,cn=peercred,cn=external,cn=auth manage by dn.exact=uid=ldap-admin,ou=users,dc=example,dc=net write by * break
olcRootDN: cn=admin,cn=config
olcRootPW:

dn: olcDatabase={1}monitor,cn=config
objectClass: olcDatabaseConfig
olcDatabase: {1}monitor
olcAccess: {0}to dn.subtree="cn=monitor" by dn.exact=cn=admin,cn=config read by dn.exact=cn=admin,dc=example,dc=net read

dn: olcDatabase={2}mdb,cn=config
objectClass: olcDatabaseConfig
objectClass: olcmdbConfig
olcDatabase: {2}mdb
olcDbDirectory: /opt/openldap-current/var/lib/ldap
olcSuffix: dc=example,dc=net
olcAccess: {0}to * by dn.exact=gidNumber=0+uidNumber=0,cn=peercred,cn=external,cn=auth manage by dn.exact=gidNumber=1111+uidNumber=1111,cn=peercred,cn=external,cn=auth manage by dn.exact=uid=ldap-admin,ou=users,dc=example,dc=net write by dn.exact=uid=repl-user,ou=users,dc=example,dc=net read by * break
olcAccess: {1}to dn.exact="" by * read
olcAccess: {2}to dn.base="cn=subschema" by * read
olcAccess: {3}to attrs=userPassword by anonymous auth by self write by * none
olcLimits: {0}dn.exact="uid=repl-user,ou=users,dc=example,dc=net" time=unlimited size=unlimited
olcLimits: {1}dn.exact="uid=ldap-admin,ou=users,dc=example,dc=net" time=unlimited size=unlimited
olcRootDN: cn=admin,dc=example,dc=net
olcRootPW: {SSHA}D6GKFhWChzpTnTmsxLVqJqTnFm+8fr3K
olcSizeLimit: unlimited
olcTimeLimit: unlimited
olcDbCheckpoint: 512 30
olcDbIndex: default eq
olcDbIndex: objectClass
olcDbIndex: entryUUID
olcDbIndex: entryCSN
olcDbIndex: cn pres,eq,sub
olcDbIndex: uid pres,eq,sub
olcDbIndex: mail pres,eq,sub
olcDbIndex: sn pres,eq,sub
olcDbIndex: description pres,eq,sub
olcDbIndex: title pres,eq,sub
olcDbIndex: givenName pres,eq,sub
olcDbMaxSize: 85899345920

dn: olcOverlay={0}totp,olcDatabase={2}mdb,cn=config
objectClass: olcOverlayConfig
olcOverlay: {0}totp

dn: olcOverlay={1}autoca,olcDatabase={2}mdb,cn=config
objectClass: olcOverlayConfig
objectClass: olcAutoCAConfig
olcOverlay: {1}autoca
olcAutoCAuserKeybits: 4096
olcAutoCAserverKeybits: 4096
olcAutoCAKeybits: 4096
After a few minutes, or if I restart slapd, I get the following error message:
---------------------
Jun 05 15:24:52 ldap25-p01 slapd[16210]: @(#) $OpenLDAP: slapd 2.5.5 (Jun 5 2021 14:07:21) $
	root@ldap25-p01:/opt/openldap-2.5.5/servers/slapd
Jun 05 15:24:52 ldap25-p01 slapd[16210]: olcPasswordHash: value #0: <olcPasswordHash> scheme not available ({TOTP1})
Jun 05 15:24:52 ldap25-p01 slapd[16210]: olcPasswordHash: value #0: <olcPasswordHash> no valid hashes found
Jun 05 15:24:52 ldap25-p01 slapd[16210]: config error processing cn=config: <olcPasswordHash> no valid hashes found
I used the documentation from Symas for configuring TOTP. What's wrong, and why does slapd start after configuration but crash when I restart slapd?
Have a look at this blog entry, dated 2015: https://blog.sys4.de/totp-time-based-one-time-password-authentication-en.htm...
-Dieter
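A configuration-order lint for cn=config dumps like the one quoted above, added here as an example; it is not code from the thread or from the OpenLDAP project. It assumes that slapd processes the entries in the order given and that a scheme registered by a loadable module can only be named in olcPasswordHash after the cn=module entry that loads it; the scheme-to-module mapping is likewise an assumption.

```python
import re

# Constructed excerpt modelled on the thread's config: cn=config names
# {TOTP1} before the cn=module{0} entry that loads pw-totp.la.
BROKEN_LDIF = """\
dn: cn=config
olcPasswordHash: {TOTP1}

dn: cn=module{0},cn=config
olcModuleLoad: {0}back_mdb
olcModuleLoad: {2}pw-totp.la
"""

# Assumed: which loadable module registers which scheme. Built-in schemes
# such as {SSHA} need no module and are deliberately absent.
SCHEME_MODULE = {"TOTP1": "pw-totp", "TOTP1ANDPW": "pw-totp"}

def parse_ldif(text):
    """Entries in file order as dicts attribute -> [values]; unfolds RFC 2849 continuation lines."""
    entries = []
    for block in re.split(r"\n\s*\n", re.sub(r"\n ", "", text).strip()):
        entry = {}
        for line in block.splitlines():
            key, _, value = line.partition(":")
            entry.setdefault(key.strip(), []).append(value.strip())
        entries.append(entry)
    return entries

def loaded_modules(entry):
    """Module names from olcModuleLoad, minus the {n} prefix, any path, and .la/.so."""
    names = set()
    for value in entry.get("olcModuleLoad", []):
        name = re.sub(r"^\{\d+\}", "", value).rsplit("/", 1)[-1]
        names.add(re.sub(r"\.(la|so)$", "", name))
    return names

def check_hash_scheme_order(ldif_text):
    """Report olcPasswordHash schemes that appear before their module is loaded."""
    loaded, problems = set(), []
    for entry in parse_ldif(ldif_text):
        loaded |= loaded_modules(entry)          # modules loaded so far, in config order
        for value in entry.get("olcPasswordHash", []):
            for scheme in re.findall(r"\{([^}]+)\}", value):
                module = SCHEME_MODULE.get(scheme)
                if module and module not in loaded:
                    problems.append(f"{entry.get('dn', ['?'])[0]}: {{{scheme}}} set before {module} is loaded")
    return problems
```

Running it over a slapcat -n0 dump flags exactly the situation the startup log complains about, and returns an empty list once the module entry precedes the entry that names the scheme.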